Abstract
Industrial Internet of Things (IIoT) gateways are affected by many cybersecurity threats, compromising their security and dependability. These gateways usually represent single points of failure on the IIoT infrastructure. When compromised, they can disrupt the entire system, including the security of the IIoT devices and the confidentiality and privacy of the data. This paper introduces a Secure IIoT Gateway Architecture that encompasses Trusted Execution Environment concepts and consolidated security algorithms to achieve a secure IIoT environment. Sensitive procedures of the IIoT, like device admission, bootstrapping, key management, authentication, and data exchange among operational technology (OT) and information technology (IT) are handled by the gateway inside the secure execution domain. The bootstrapping does not require devices to have any pre-stored secret or a pre-established secure channel to any trusted third party. Moreover, our architecture includes mechanisms for IIoT devices to safely interact with the Cloud without assuming the integrity of the gateways between them, enabling continuous verification of gateway integrity. A formal proof of the proposed solution security is provided. Finally, the security of the proposed architecture is discussed according to the specified requirements.
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10922-023-09723-6/MediaObjects/10922_2023_9723_Fig1_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10922-023-09723-6/MediaObjects/10922_2023_9723_Fig2_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10922-023-09723-6/MediaObjects/10922_2023_9723_Fig3_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10922-023-09723-6/MediaObjects/10922_2023_9723_Fig4_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10922-023-09723-6/MediaObjects/10922_2023_9723_Fig5_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs10922-023-09723-6/MediaObjects/10922_2023_9723_Fig6_HTML.png)
Similar content being viewed by others
Notes
A platform like this, with the same assumptions and mechanisms, can also be used for OT devices. However, since OT are isolated from the IT by the gateway, trustfulness is often regarded as a function of design, implementation, and operation of such devices and their coordination in an IIoT segment.
The ECDH’s key pair is generated using an elliptic curve, which makes it 10 times more efficient than the traditional Diffie-Hellman for 256 bits ECDH keys [32]. Moreover, this difference increases whenever we increase the size of the key. In [33], the performance of the ECDH algorithm was assessed on an embedded platform featuring a 32-bit, 26MHz ARM7TDMI-S processor with 128kB of flash memory and 96kB of RAM, with execution time in the granularity of a few seconds, which demonstrates the ability of this simple platform to perform such operations. Finally, this key generation is only required once in the proposed bootstrap process, therefore, further key generation will happen very sporadically given the key management procedure.
\(64KB-1B\) is the maximum Data length supported by TSTP [26].
References
Diro, A.A., Chilamkurti, N., Kumar, N.: Lightweight cybersecurity schemes using elliptic curve cryptography in publish-subscribe fog computing. Mobile Netw. Appl. 22(5), 848–858 (2017). https://doi.org/10.1007/s11036-017-0851-8
Cionca, V., Newe, T., Dădârlat, V.T.: Configuration tool for a wireless sensor network integrated security framework. J. Netw. Syst. Manage. 20(3), 417–452 (2011). https://doi.org/10.1007/s10922-011-9219-8
Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017). https://doi.org/10.1109/mc.2017.201
Lyu, M., Sherratt, D., Sivanathan, A., Gharakheili, H.H., Radford, A., Sivaraman, V.: Quantifying the reflective DDoS attack capability of household IoT devices. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks—WiSec ’17, pp. 46–51. ACM Press (2017)
Bali, R.S., Jaafar, F., Zavarasky, P.: Lightweight authentication for MQTT to improve the security of IoT communication. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy. ICCSP ’19, pp. 6–12. Association for Computing Machinery, New York, NY (2019)
The Things Network.: LoRaWan security, sponsored by The Things Industry. Retrieved from https://www.thethingsnetwork.org/docs/lorawan/security.html. Accessed 03 Nov 2020
Naoui, S., Elhdhili, M.E., Saidane, L.A.: Lightweight and secure password based smart home authentication protocol: LSP-SHAP. J. Netw. Syst. Manage. 27(4), 1020–1042 (2019). https://doi.org/10.1007/s10922-019-09496-x
Pinto, S., Gomes, T., Pereira, J., Cabral, J., Tavares, A.: IIoTEED: an enhanced, trusted execution environment for industrial IoT edge devices. IEEE Internet Comput. 21(1), 40–47 (2017). https://doi.org/10.1109/mic.2017.17
Ukil, A., Sen, J., Koilakonda, S.: Embedded security for Internet of Things. In: 2011 2nd National Conference on Emerging Trends and Applications in Computer Science, pp. 1–6. IEEE (2011)
Lesjak, C., Hein, D., Winter, J.: Hardware-security technologies for industrial IoT: TrustZone and security controller. In: IECON 2015—41st Annual Conference of the IEEE Industrial Electronics Society. IEEE, p. 2589–2595 (2015)
Panchal, A.C., Khadse, V.M., Mahalle, P.N.: Security issues in IIoT: a comprehensive survey of attacks on IIoT and its countermeasures. In: 2018 IEEE Global Conference on Wireless Computing and Networking (GCWCN), pp. 124–130. IEEE (2018)
Togay, C., Mutlu, G., Kurtulus, D., Özgür, F.: Secure gateway for the internet of things. Avrupa Bilim ve Teknol. Dergisi (2019). https://doi.org/10.31590/ejosat.524783
Navarro-Ortiz, J., Sendra, S., Ameigeiras, P., Lopez-Soler, J.M.: Integration of LoRaWAN and 4G/5G for the industrial internet of things. IEEE Commun. Mag. 56(2), 60–67 (2018). https://doi.org/10.1109/mcom.2018.1700625
Lin, I.C., Hsu, H.H., Cheng, C.Y.: A cloud-based authentication protocol for RFID supply chain systems. J. Netw. Syst. Manage. 23(4), 978–997 (2015). https://doi.org/10.1007/s10922-014-9329-1
Kuo, F.C., Tschofenig, H., Meyer, F., Fu, X.: Comparison studies between pre-shared and public key exchange mechanisms for transport layer security. In: Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications, pp. 1–6. IEEE (2006)
Bienhaus, D., Ebner, A., Jäger, L., Rieke, R., Krauß, C.: Secure gate: secure gateways and wireless sensors as enablers for sustainability in production plants. Simul. Model. Pract. Theory 109, 102282 (2021). https://doi.org/10.1016/j.simpat.2021.102282
Sebastian, D.J., Agrawal, U., Tamimi, A., Hahn, A.: DER-TEE: secure distributed energy resource operations through trusted execution environments. IEEE Internet Things J. 6(4), 6476–6486 (2019). https://doi.org/10.1109/JIOT.2019.2909768
Lee, S., Heo, M., Park, K., Kim, B., Hong, J.: Enhancing the security of IoT gateway based on the classification of user security-sensitive data. In: Proceedings of the Conference on Research in Adaptive and Convergent Systems. RACS ’19, pp. 241–243. Association for Computing Machinery, New York, NY (2019)
Ling, Z., Yan, H., Shao, X., Luo, J., Xu, Y., Pearson, B., et al.: Secure boot, trusted boot and remote attestation for ARM TrustZone-based IoT Nodes. J. Syst. Architect. 119, 102240 (2021). https://doi.org/10.1016/j.sysarc.2021.102240
Tange, K., De Donno, M., Fafoutis, X., Dragoni, N.: A systematic survey of industrial internet of things security: requirements and fog computing opportunities. IEEE Commun. Surv. Tutor. 22(4), 2489–2520 (2020). https://doi.org/10.1109/COMST.2020.3011208
Li, J., Tang, X., Wei, Z., Wang, Y., Chen, W., An Tan, Y.: Correction to: Identity-based multi-recipient public key encryption scheme and its application in IoT. Mobile Netw. Appl. (2020). https://doi.org/10.1007/s11036-020-01512-8
Lucena, M., Scheffel, R.M., IoT, Fröhlich. A.A..: Protocol, gateway integrity checking. In: IX Brazilian Symposium on Computing Systems Engineering (SBESC), vol. 2019, pp. 1–8. IEEE (2019)
Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978). https://doi.org/10.1145/359657.359659
Dolev, D., Yao, A.C.: On the security of public key protocols. In: 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981), pp. 350–357. IEEE (1981)
Hu, P., Ning, H., Qiu, T., Song, H., Wang, Y., Yao, X.: Security and privacy preservation scheme of face identification and resolution framework using fog computing in internet of things. IEEE Internet Things J. 4(5), 1143–1155 (2017). https://doi.org/10.1109/JIOT.2017.2659783
Resner, D., Fröhlich, A.A.: Design rationale of a cross-layer, trustful space-time protocol for wireless sensor networks. In: 2015 IEEE 20th Conference on Emerging Technologies & Factory Automation (ETFA), pp. 1–8. IEEE (2015)
Scheffel, R.M., Fröhlich, A.A.: FT-TSTP: a multi-gateway fully reactive geographical routing protocol to improve WSN reliability. In: 2018 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pp. 1–6. IEEE (2018)
IEEE: IEEE standard for a precision clock synchronization protocol for networked measurement and control systems. In: IEEE Std 1588–2002, pp.1–154, 31 Oct. 2002. https://doi.org/10.1109/IEEESTD.2002.94144
Resner, D., Fröhlich, A.A.: Speculative precision time protocol: submicrosecond clock synchronization for the IoT. In: 21st IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2016), pp. 1–8. Berlin, Germany (2016)
IEC. Industrial Communication Networks—Fieldbus Specifications—Part 1: Overview and Guidance for the IEC 61158 and IEC 61784 Series. International Electrotechnical Commission, Geneva (2019)
Isobe, T., Shibutani, K.: Preimage Attacks on Reduced Tiger and SHA-2. In: Fast Software Encryption, pp. 139–155. Springer, Berlin (2009)
National Security Agency: The case for elliptic curve cryptography (2005, October 13). Retrieved from https://web.archive.org/web/20051013062853/http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm. Accessed November 3, 2020
Resner, D., Augusto, Fröhlich, A.: Key establishment and trustful communication for the Internet of Things. In: Proceedings of the 4th International Conference on Sensor Networks—SENSORNETS,. INSTICC, pp. 197–206. SciTePress (2015)
Certicom Research: SEC 2: recommended elliptic curve domain parameters (2010, January 27). Retrieved from https://www.secg.org/sec2-v2.pdf. Accessed November 3, 2020
Aziz, B., Hamilton, G.: Detecting man-in-the-middle attacks by precise timing. In: 2009 Third International Conference on Emerging Security Information, Systems and Technologies, pp. 81–86. IEEE (2009)
Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Proceedings of Fast Software Encryption, pp. 32–49. Paris, France (2005)
Resner, D.: Performance Evaluation of the Trustful Space-Time Protocol [M.Sc. Thesis]. Federal University of Santa Catarina. Florianópolis (2018). https://repositorio.ufsc.br/handle/123456789/189296
Carlos, M.C., Martina, J.E., Price, G., Custódio, R.F.: An updated threat model for security ceremonies. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing. SAC ’13, pp. 1836–1843. Association for Computing Machinery, New York, NY (2013). https://doi.org/10.1145/2480362.2480705
Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptol. ePrint Arch. 2016, 86 (2016)
Götzfried, J., Eckert, M., Schinzel, S., Müller, T.: Cache Attacks on Intel SGX. In: Proceedings of the 10th European Workshop on Systems Security. EuroSec’17, pp. 1–6. Association for Computing Machinery, New York, NY (2017)
Fröhlich, A.A.: SmartData: an IoT-ready API for sensor networks. Int. J. Sens. Netw. 28(3), 202 (2018). https://doi.org/10.1504/ijsnet.2018.096264
Funding
This study was financed in part by grants 2020/05142-1, 2021/02384-7, and 2021/02385-3, São Paulo Research Foundation (FAPESP).
Author information
Authors and Affiliations
Contributions
AAF: Conceptualization, Writing—Review & Editing, Supervision. LPH: Conceptualization, Formal analysis, Writing—Review & Editing, Investigation. JLCH: Conceptualization, Formal analysis, Writing - Review & Editing, Investigation.
Corresponding author
Ethics declarations
Conflict of interest
The authors have declared no conflicts of interest.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Fröhlich, A.A., Horstmann, L.P. & Hoffmann, J.L.C. A Secure IIoT Gateway Architecture based on Trusted Execution Environments. J Netw Syst Manage 31, 32 (2023). https://doi.org/10.1007/s10922-023-09723-6
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s10922-023-09723-6